
Living the Least Privilege Lifestyle, Part 2: Why Running as a Non-Admin is Safer


Most of us want more power, never less. But Don Kiely explains how deliberately limiting your power over your system can help you to prevent someone else from getting power over it. Running as a "mere user" is sometimes inconvenient, but the aggravations are outweighed by the control you gain.

In the first part of this "Living the 'Least Privilege' Lifestyle" series, I made the assertion that the fact that most people run with administrative rights on their local machines is the root cause of many or most of today's security problems. I went on to explain the problems with running as an administrator and just what such privileges mean. I hope that readers of that first installment began to get a bit nervous about how they use their computers every day. In this second installment, I'll attempt to intensify the pain a little more and then discuss why running as a non-admin can alleviate many of the security issues faced by computer users.

Admin Powers = Malware Powers

As I explained in part 1, when you operate a computer logged in as a member of the Administrators group, you can do virtually anything on that machine, including configure and change the operating system, access protected sections of the filesystem and registry, and lots of other things that can potentially cause havoc if you're not careful. And because a new process is by default created with a copy of its parent process's security token, any malware that runs in your security context can do all of the same things.
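To make the inheritance concrete, here is an added PowerShell example (not code from the article or from the book it accompanies) that prints the identity and privileges of the current process and then starts a child PowerShell process, which reports the very same identity and administrator status. The function name Get-TokenSummary is this example's own; everything it calls is the standard .NET WindowsIdentity/WindowsPrincipal API and the built-in whoami tool.

```powershell
# Added example: show the security context of this process, then show that a
# child process inherits it unchanged. Run it once from a normal logon and
# once from an elevated prompt to see the difference malware would inherit.

function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    [pscustomobject]@{
        ProcessId = $PID
        User      = $identity.Name
        # True only when BUILTIN\Administrators is an enabled group in the
        # token. Under UAC, a non-elevated admin logon reports False here
        # because the filtered token carries that group as deny-only.
        IsAdmin   = $principal.IsInRole($adminRole)
        # Privileges (SeDebugPrivilege, SeLoadDriverPrivilege, ...) are what
        # let a rootkit installer load drivers or patch other processes.
        Privileges = (& whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object { $_.'Privilege Name' }) -join ', '
    }
}

Write-Host '--- parent process ---'
Get-TokenSummary | Format-List

# The child is started with no special options, so it simply receives a copy
# of this process's token; it will print the same user and the same IsAdmin.
Write-Host '--- child process ---'
$childCommand = '$id = [System.Security.Principal.WindowsIdentity]::GetCurrent(); ' +
                '$p = New-Object System.Security.Principal.WindowsPrincipal($id); ' +
                '"user={0} pid={1} admin={2}" -f $id.Name, $PID, ' +
                '$p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)'
& powershell.exe -NoProfile -Command $childCommand
```

The point to take from the output is that nothing about the child distinguishes it from the parent: a worm launched from your browser, your mail client, or a double-clicked attachment gets exactly the token shown in the first listing. If that listing says IsAdmin is True and includes SeLoadDriverPrivilege, the list of "nastier things" below is available to it.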

To be a little more specific, here's a small sampling of the nastier things that you and malware can do with your security context:

  • Install rootkits
  • Install system-level keyloggers
  • Install ActiveX controls or any other binary apps
  • Install, start, and stop services
  • Access data for all users
  • Set startup code to run whenever anyone logs in
  • Replace Windows and app program files with Trojans
  • Access Local Security Authority (LSA) secrets
  • Disable and uninstall antivirus or anti-spyware software
  • Create, modify, and delete user accounts
  • Reset passwords
  • Modify HOSTS file and system configurations
  • Modify logging and logs to hide your tracks
  • Render the machine unbootable

And much more.

If you're at all technically savvy, that should be a pretty scary list. The first item is probably the scariest, but rootkits are new enough that many people aren't yet familiar with them. A rootkit is a very clever way for a malware writer to hide evidence that a computer is infected with malware. There are plenty of variations, but a rootkit is a program for "hacking root," a UNIX way of saying that the core operating system has been hacked—in this case, to hide evidence that something has been modified or added to your computer without your knowledge. In particular, it modifies the Windows APIs in such a way that evidence of infestation is hidden.

Let's look at a simple example to show what this means. Say that you're a malware author and you've just created the Next Great Worm that will affect Windows machines. In part, your program works by installing two files, WorldDomination.com and StealMoney.com, in the root directory of the target system's drive, usually c:\. Even if you mark the files as hidden and system files, however, it's trivial for even a non-technical user to use Windows Explorer to find those files. The user simply tells Explorer to display hidden and system files, and there they are.

Because your malware depends on those files being in the root directory, you decide to use a rootkit to hide them. When installed along with your malware, the rootkit modifies the low-level system API files—the code that applications call to perform system functions. For example, you might modify the function that enumerates the contents of a filesystem directory. If the next file to be listed is one of your malware files, the hacked code simply skips that file and returns the name of the next file, essentially making your file invisible. Now any tool that lists files will omit your malware files because Windows doesn't list them.

This is an overly simplistic description of rootkits, but they are cause for concern. If you want to learn more, check out http://www.rootkit.com, which has discussions and plenty of code to explore if you're into low-level Windows internals. Some programs are available that will scan for and remove rootkits. The one I like the best is free from Mark Russinovich at SysInternals: RootkitRevealer.

The point is that in order to install a rootkit you have to have admin privileges because the rootkit modifies the Windows operating system. Without such privileges, a rootkit can't install and malware authors have one less tool to hide their tracks.
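A rootkit of the kind described above works by altering system files or the code loaded from them, and a trojaned program file (another item from the list) is the same kind of change. One check a standard user can run without any admin rights is an Authenticode sweep of the system directory. The following is an added PowerShell example, not a tool from the article or from SysInternals; the function name Get-UnverifiedBinaries is this example's own, while Get-ChildItem and Get-AuthenticodeSignature are the standard cmdlets.

```powershell
# Added example: report system binaries whose digital signature no longer
# verifies. A file whose contents were patched after Microsoft signed it
# reports HashMismatch; a file with no signature at all reports NotSigned.
# Read access is all this needs, so it runs fine as a non-admin.

function Get-UnverifiedBinaries {
    param(
        [string]$Path = "$env:SystemRoot\System32",
        [string[]]$Include = @('*.dll', '*.exe', '*.sys')
    )
    # -Force includes hidden and system files, which is where malware hides.
    Get-ChildItem -Path $Path -Include $Include -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Status    = $sig.Status
                    File      = $_.FullName
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    LastWrite = $_.LastWriteTimeUtc
                }
            }
        }
}

# HashMismatch is the strong signal (signed content that was later altered),
# so list it first; NotSigned entries are leads to confirm, not verdicts.
Get-UnverifiedBinaries |
    Sort-Object @{ Expression = { $_.Status -eq 'HashMismatch' }; Descending = $true }, File |
    Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, on older Windows releases many system files are signed only through security catalogs rather than with an embedded signature, so they report NotSigned here even though they are genuine; the built-in sfc /verifyonly command and SysInternals sigcheck both understand catalogs and are the right second opinion. Second, this check asks the operating system to enumerate and read the files, which is precisely the layer a rootkit subverts: a kernel-level rootkit can hide its files from this sweep just as it hides them from Explorer. That is why RootkitRevealer compares what the Windows API reports against what it finds by reading the raw filesystem and registry structures directly, and why the real defense is the one this article argues for: never giving the rootkit installer the admin token it needs in the first place.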
